CVE-2021-42388: 
NixOS vulnerability analysis and mitigation

Heap out-of-bounds read vulnerability (CVE-2021-42388) was discovered in ClickHouse's LZ4 compression codec when parsing a malicious query. The vulnerability was discovered in March 2022 and affects ClickHouse versions up to (excluding) 21.10.2.15. The vulnerability requires authentication but can be triggered by any user with read permissions, even those with the lowest privileges (JFrog Advisory).

As part of the LZ4::decompressImpl() loop, a 16-bit unsigned user-supplied value ('offset') is read from the compressed data. The offset is later used in the length of a copy operation, without checking the lower bounds of the source of the copy operation. The vulnerability has a CVSS v3.1 Base Score of 8.1 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H) (NVD).

The vulnerability can lead to denial of service or information leakage through memory exposure. Accessing memory outside of the buffer's bounds can expose sensitive information or lead to a crash of the application due to segmentation fault (JFrog Advisory).

Users should update ClickHouse to v21.10.2.15-stable version or later. If upgrading is not possible, it is recommended to add firewall rules in the server that will restrict the access to the web port (8123) and the TCP server's port (9000) to specific clients only (JFrog Advisory).